Pull Model from the Implementation Standpoint. Jack Visoky and Joakim Wiberg Rockwell Automation and HMS. October 10, 2018

Transcription

1 Pull Model from the Implementation Standpoint Jack Visoky and Joakim Wiberg Rockwell Automation and HMS October 10, 2018

2 Pull Model Background Pull Model was added to CIP Security (Volume 8) in May of 2018 Allows for a device to automatically request a certificate Discovers and EST Server using DNS-SD Uses EST to request a certificate Certificate Commissioning Server EtherNet/IP Device COTS CA EST Server EST 2

3 Pull Model Specification Limitation Volume 8 describes precisely how a device should behave to discover and subsequently request a certificate Standard technologies are used, mechanisms given to disable this, etc However, no information is given on how the user should set up the EST server Under what conditions should a device be granted a certificate What type of authentications are necessary/possible Are there any common options for this? As this is so open-ended, it doesn t make sense to put this information within the CIP Specification However, it is still likely to be quite useful to users 3

4 Various Models for Granting a Certificate This paper discusses a few models which are likely to be useful for a large amount of users implementing the Pull Model Models discussed here can be combined and modified These are simple examples that seem to be generally applicable There is no one-size-fits-all solution here This information is meant to provide guidance Combined with a proper threat model a user can apply the appropriate level of security 4

5 Vendor Certificate Base Approval When a device connects to an EST server, it must do so over a TLS connection The device will use its default certificate to do so (as it has not yet been provisioned) In many cases this default certificate is signed by an ODVA member company (referred to as a Vendor Certificate) EST server could be set up such that any device which presents a valid Vendor Certificate from a list of trusted vendors is granted a certificate CIP Security Device EST Request (TLS Connection Authenticated Via Client Certificate) EST Server with CA IF [Signed by Trusted Vendor] THEN Grant Certificate ELSE Reject 5

6 When a device contacts the EST server the server could pend on approval from an administrator The EST server would send a notification (potentially , SMS, etc ) to the admin and allow for remote approval Included in this could be information about the request, including IP address, serial number, etc Approval here is somewhat manual so scalability would be a concern Also if remote approval is allowed then authenticating that communication is also important Administrator Approval Based on Notification CIP Security Device EST Request EST Server with CA Approve OR Reject Out-of-band Notification Administrator 6

7 Approval Based on a List of Serial Numbers Administrator could pre-configure the EST server with a list of serial numbers of devices in inventory Based on the initial request via the default certificate the device could be granted a certificate Default Certificates have Vendor ID and Serial Number, this could be matched to the list Note that security is lessened significantly if this is a self-signed certificate; Vendor Certificate works much better CIP Security Device EST Request (with Serial Number Information in Client Certificate) EST Server with CA Check for Serial Number Present or Not Present Serial Number List 0x84B3AA 0x7482A8 0x942CF5 7

8 Username and Password (Software Only) EST has a provision to allow for a username and password along with the certificate request For software that is a CIP endpoint, or any device with a human interface, a username and password could be requested Mechanism for entering this information is of course not standardized Need to ensure passwords are managed properly User CIP Security Device with Human Interface EST Request (Username and Password also transmitted according to EST protocol) EST Server with CA 8

9 Approval via a Provisioning Certificate A provisioning certificate could be pre-loaded into a device Possibly through a removable media channel utilizing a smart card Protection of private key and certificate is paramount Mechanism is not standardized, would necessarily be vendor specific Risks around losing control of the removable media with private key and certificate CIP Security Device EST Request (TLS connection established With Provisioning Certificate as Client Certificate) EST Server with CA Provisioning Certificate 9

10 You ask for a certificate, you get a certificate! Obvious security issues Global Grant Could be useful for small systems with a hardened network, or lab environments for testing Just get the system up a running without worrying about security (?) CIP Security Device EST Request EST Server with CA Immediate Grant 10

11 Several models explored Combinations possible Ultimate implementation should be driven by a threat model Tradeoffs can be made between security and usability Conclusions Other countermeasures (e.g. Intrusion Detection Systems) can compensate for potential security drawbacks of a given model 11

12 THANK YOU